
HIPAA Implementation at
UNC School of Medicine
Dennis A. Schmidt, MS, CISSP
Director, Office of Information Systems
HIPAA Security Officer
UNC School of Medicine
March 12, 2007
Agenda
• Overview of HIPAA
• Overview of the Privacy Regulation
• Protected Health Information
• Parts of the Privacy Regulation
• Patient Rights
• Penalties
• HIPAA Security Regulations
• Implementation at UNC School of Medicine
What is HIPAA?
• HIPAA stands for the Health Insurance
Portability and Accountability Act, a federal
law passed in 1996 that affects the
healthcare and insurance industries.
HIPAA Parts
• HIPAA has several parts:
» Electronic Transactions and Code Sets
Standards
» Privacy Requirements
» Security Requirements
» National Identifier Requirements (NPI)
• This presentation will focus on the Privacy
and Security Requirements.
Who Is Subject to HIPAA?
• Health Care Providers
» Any provider of health care or other health
services, or supplies, who transmits health
information in electronic form in connection
with a transaction for which standard
requirements have been adopted.
• Health Plans
» Any individual or group plan that provides or
pays the cost of health care.
• Health Care Clearinghouses
» A public or private entity that transforms health
care transactions from one format to another.
7/20/2015
5
Affiliated Covered Entities
• Any organization that provides patient care
and bills electronically is subject to HIPAA.
• Those organizations are classed as “Covered
Entities”
• UNC Health Care is a Single Affiliated
Covered Entity, consisting of:
» UNC Hospitals
» UNC Physicians and Associates
» UNC School of Medicine
» Rex Hospital
HIPAA Cost Neutral (????)
• Streamlining codes and transactions sets
theoretically offsets the overhead costs
incurred to support privacy and security.
• No real savings have yet been realized from
codes and transaction sets.
• Many organizations do not benefit from codes
and transactions savings.
HIPAA Privacy Rule
• Went into effect April 14, 2003
• The main goal of the Privacy Regulation is to
protect the use and sharing of Protected
Health Information (PHI).
What is PHI?
• Protected Health Information
PHI is any health information that can be
used to identify a patient and which relates to
the patient, healthcare services provided to
the patient, or the payment for these
services.
Examples of PHI Identifiers
• Employer
• Relatives’ Names
• Telephone Numbers
• Fax Numbers
• E-Mail Address
• Medical Record Number
• Social Security Number
• Codes
• Fingerprints
• Occupation
• Photographs
• Certificate Numbers
Privacy Regulation Requires
• We cannot use or disclose PHI unless it is
required or allowed by law, or when the
patient has given permission.
Privacy Rule Principles
• The Privacy Regulation, or Privacy Rule, is
made up of several parts.
These include the following:
• Accountability:
» Anyone who misuses PHI will be subject to
losing their job along with civil and/or criminal
penalties.
Privacy Rule Principles cont…
• Responsibility to the public:
» Addresses the need to keep the public healthy
and safe, but at the same time protect the
privacy of all patients.
• Boundaries:
» PHI should be used for healthcare purposes
only.
Privacy Rule Principles cont…
• Security:
» PHI needs to be kept confidential and
accessed on a need to know basis.
• Patient Control:
» The Patient has the right to ask us for a
listing showing when and to whom their PHI
has been shared. (Accounting for
Disclosures.)
Patient Rights
• The Privacy Rule calls for letting patients
know their privacy rights.
These rights are as follows:
• The patient has the right to obtain a copy of
our Notice of Privacy Practices.
• The patient has the right to access their PHI.
It’s their information, not ours.
• The patient has the right to ask for
corrections in their own PHI.
Patient Rights (cont’d)
• The patient has the right to control how PHI
about them is shared.
• The patient has the right to “opt out” of being
listed in hospital directories.
• The patient has the right to file a complaint if
we do not follow our privacy policies.
Penalties
There are penalties for not following HIPAA
requirements.
• You can lose your job.
• You and your facility can be forced to pay up
to $250,000 and spend up to 10 years in jail.
HIPAA
Security Rule
Final Security Rule
• Published in Federal Register on February
20, 2003
• Effective Date: April 21, 2005
• Scope narrowed to Electronic PHI Only
• All other PHI covered by Privacy Rule
Protected Health
Information (PHI)
• Identifiable Health Information that is
» Transmitted by electronic media
» Maintained in electronic media
» Transmitted or maintained in any other
form or medium
• Excludes health information in
» Education records covered by Family
Educational Rights and Privacy Act
» Employment records held by a covered
entity in its role as employer
Definitions
• Standards
• Required Implementation
» Covered entity must implement the
implementation specifications
• Addressable Implementation
» Entity must assess whether
implementation specification is reasonable
and appropriate safeguard
» Implement if reasonable
» If not reasonable
• Document why
• Implement alternative measure if reasonable
and appropriate
Security Standards Matrices
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Security Standards are required to be
implemented
• Implementation Specification is either
» Required or
» Addressable
Administrative Safeguards
• Security Management Process
» Risk Analysis (Required)
» Risk Management (Required)
» Sanction Policy (Required)
» Information System Activity Review (Required)
• Assigned Security Responsibility (Required)
• Workforce Security
» Authorization and/or Supervision (Addressable)
» Workforce Clearance Procedure (Addressable)
» Termination Procedures (Addressable)
Administrative Safeguards
• Information Access Management
» Isolating Healthcare Clearinghouse Function (Required)
» Access Authorization (Addressable)
» Access Establishment and Modification (Addressable)
• Security Awareness and Training (Required)
» Security Reminders (Addressable)
» Protection from Malicious Software (Addressable)
» Login Monitoring (Addressable)
» Password Management (Addressable)
Administrative Safeguards
• Security Incident Procedures (Required)
• Contingency Plan
» Data Backup Plan (Required)
» Disaster Recovery Plan (Required)
» Emergency Mode Operation Plan (Required)
» Testing and Revision Procedure (Addressable)
» Applications and Data Criticality Analysis (Addressable)
• Evaluation (replaces Certification) (Required)
• Business Associate Contracts (Written) (Required)
Physical Safeguards
• Facility Access Controls (Required)
» Contingency Operations (Addressable)
» Facility Security Plan (Addressable)
» Access Control and Validation Procedures (Addressable)
» Maintenance Records (Addressable)
• Workstation Use (Required)
• Workstation Security (Required)
• Device and Media Controls
» Disposal (Required)
» Media Re-use (Required)
» Accountability (Addressable)
» Data Backup and Storage (Addressable)
Technical Safeguards
• Access Control
» Unique User ID (Required)
» Emergency Access Procedure (Required)
» Automatic Logoff (Addressable)
» Encryption and Decryption (Addressable)
• Audit Controls (Required)
• Integrity (Required)
» Mechanism to Authenticate Electronic PHI (Addressable)
• Person or Entity Authentication (Required)
• Transmission Security
» Integrity Controls (Addressable)
» Encryption (Addressable)
“Due Diligence”
• HIPAA expects entities to use Due Diligence
when protecting PHI.
• Definition of Due Diligence is constantly
changing/evolving and subject to
interpretation.
• Your definition of Due Diligence may be
different from a plaintiff’s definition.
• Following industry standards probably fits in
Due Diligence – but that’s just MY
interpretation.
HIPAA Implementation at UNC
Implementation Structure
• UNC HCS HIPAA Oversight Committee
• UNC HCS HIPAA Policy Committee
• HIPAA Implementation Teams
» UNC Hospitals
» Rex Healthcare
» UNC P&A
» UNC School of Medicine
HIPAA Committees
• UNC HCS
» HIPAA Oversight Committee
» HIPAA Policy Committee
» HIPAA Education Committee
» HIPAA Privacy Subcommittee
» HIPAA Security Subcommittee
» HCS Physical Inspection Team
» Security Incident Response Team (SIRT)
• SOM
» HIPAA Planning and Oversight Counsel
» HIPAA Security Team
• UNC
» HIPAA Security Liaisons
» HIPAA Planning Committee
HIPAA Implementation
Approach
• Health Care System Approach
» Standard Policies Across HCS
• UNC Hospitals
• UNC Physicians & Associates
• Rex Hospital
• School of Medicine
Implementation Tasks
• Inventory of individually identifiable
electronic health information, including
information kept on personal computers
and research databases
• Risk assessment to evaluate potential
risks and vulnerabilities to individually
identifiable electronic health information
• Collect and review existing privacy and
security policies
• Create new, compliant UNC HCS privacy
and security policies
Implementation Tasks cont.
• Review and revise admission,
treatment, and consent forms
• Create additional HIPAA-required
forms (including Notice of Privacy
Practices, Business Associate
Agreements, Chain of Trust
Agreements)
• Educate staff about privacy and
security policies, including sanctions
for violations - incorporate into
compliance program
Implementation Tasks cont.
• Designate privacy and security officers
in each entity
• Review and revise vendor contracts to
ensure that business associates
protect privacy of identifiable health
information
• Enter into Business Associate
Agreements with business associates
• Evaluate audit trails and develop
additional tracking techniques to
ensure a record of all use/disclosure of
patient information
Implementation Tasks cont.
• High Level Assessment & Gap
Analysis
» Inventory of Patient Information (PHI)
• Information Flow Assessment
» Detailed Security Assessment and
Risk Analysis
• Must be done by Every
Department/Division
• Risk Doctor
Implementation Tasks cont.
• Education & Training – Entire Workforce
» On-line Modules developed by UNC HCS
» Initial Module – HIPAA 101 for all
» Follow on Modules based on job function
» Training to be conducted and tracked by
Departments/Divisions
Implementation Tasks cont.
• Security Related Requirements
» Formal mechanism for processing records
• Creation, receipt, storage, transfer, disposal of
PHI
» Personnel Security Clearance Process
» Written procedures for access to PHI
» Documented termination procedures to
include notification of IS organizations
» Workstation controls
» Disaster Recovery Plan
SOM HIPAA Policies
• UNC HCS Information Security Policy
• UNC HCS Privacy/Confidentiality of PHI
• Electronic Media Disposal Policy
• End User Account Policy
• Orientation and Termination Checklists
• Network Security Policy
• Desktop Configuration Policy
• Password Policy
• Remote Access Policy
• Handheld Computing Devices Policy
• Audit Policy
• Web Security Policy
Implementation Team
Responsibilities
• Education & Training
• Coordinate assessments and
information gathering
• Participate on HIPAA workgroups
• Develop and implement unit-specific
policies
• Assist in the development and
dissemination of new global policies
and procedures
• Assess physical security (higher level
policies anticipated)
• Ongoing…..
Specific Issues &
Concerns with HIPAA
Implementation
Documentation
• To prepare for HIPAA, we did not make many
changes to our architecture or procedures.
• We just had to document what we were
already doing.
Cultural Change for our
Users
People Do Not Like Change
• “When an opportunity comes to consign
you all to the nether regions there will be a
rush to make it so.” -Basic Sciences PHD
in response to password change requirement
• “…if this was the private world, I would
FIRE YOU…and if I saw you in the hall I
would tell you to ‘flip off!’” - Physician in
response to password change requirement
HIPAA Extends Well Beyond IT
• Protect information regardless of media
• Provide physical safeguards
• Personnel issues (training, sanctions)
• Liability protections (contracts, insurance)
• Revise business & clinical processes to
comply
Policy Development
• Wrote higher level Information Security Policy
to cover all of HCS
• Formed numerous committees to help write
lower level policies for School of Medicine
• Important to get user “buy-in”
• Enforcement is still an issue
» Not enough resources to audit units
• Policies approved by the Dean’s Office
Media Disposal Policy
• First HIPAA related policy
• Requires all media (hard drives, etc.) to be
sanitized properly with disk wiping software
before leaving university control.
• Written by School of Medicine, adopted by
UNC and UNC Hospitals.
• Developed in response to actual incident.
Password Policy
• New requirements:
» Strong passwords
» Change every 90 days
» No “group” accounts
• Most significant HIPAA change for our
users
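An added example (not code from the slides or from UNC) that turns the three new password-policy requirements into an audit check over constructed account records; the strength thresholds are this example's own assumption, since the slide only says "strong passwords".

```python
from datetime import date, timedelta
import re

# Assumed thresholds: the slide says only "strong passwords", so these
# values are the example's own, not UNC's actual policy parameters.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE_DAYS = 90  # "Change every 90 days" from the Password Policy slide

def password_is_strong(pw: str) -> bool:
    """Length plus character-class check applied at password-change time."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(1 for pattern in classes if re.search(pattern, pw))
    return len(pw) >= MIN_LENGTH and present >= MIN_CLASSES

def audit_accounts(accounts, today):
    """Return {username: [violations]} for accounts that break the policy.

    Each record is a dict with 'user', 'owners' (people who know the
    password) and 'last_change' (date). Compliant accounts are omitted.
    """
    findings = {}
    for acct in accounts:
        problems = []
        if len(acct["owners"]) != 1:        # "No group accounts"
            problems.append("group account")
        if today - acct["last_change"] > timedelta(days=MAX_AGE_DAYS):
            problems.append("password older than 90 days")
        if problems:
            findings[acct["user"]] = problems
    return findings

# Constructed sample records, not real accounts.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "owners": ["J. Doe"], "last_change": date(2007, 1, 15)},
    {"user": "labshared", "owners": ["A", "B", "C"], "last_change": date(2007, 3, 1)},
    {"user": "msmith", "owners": ["M. Smith"], "last_change": date(2006, 10, 1)},
]

if __name__ == "__main__":
    for user, probs in audit_accounts(SAMPLE_ACCOUNTS, date(2007, 3, 12)).items():
        print(user, "; ".join(probs))
```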
Risk Assessments
• Very resource intensive
• Difficult to get units to do their own
• Used Raytheon “Risk Doctor” for first round
• Purchased “HIPAA Watch” for second round
» Allowed us to push questions out
electronically to departments
• Ongoing risk assessments are a constant
resource drain.
Disaster Recovery Plans
• Very difficult to do
• Using Living Disaster Recovery Plan System
(LDRPS)
Encryption
• Addressable item in HIPAA Security Rule
• Currently using “other” means of protection
• Exploring encryption solution for laptops and
desktops
• Due Diligence has evolved to now include
encryption of data.
Changes in Network Security
• Additional router filters for firewall-like
protection
• Tipping Point intrusion prevention
» Early detection of malicious activity
» Blocking Peer to Peer traffic in SOM
» Blocking Skype traffic in SOM
• VPN
• Firewalled Secure Zone
• Expanded VLAN (802.1Q) technology
• Switches and routers in private IP space
Physical Security
• All School of Medicine buildings are alarmed
and card swipe access after hours
• Sensitive floors are card swipe access 24/7
• ID Badge policy
• Additional secure server rooms for
departmental servers
Patient E-mail
• Tumbleweed Secure Server
• Activated when user puts (secure) in subject
line.
• Stores message on secure server
• Sends “you’ve got mail” link to recipient
• Recipient clicks on link to read secure
message
• Weak security if users are not authenticated
when viewing message
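An added toy model of the flow described on this slide (not Tumbleweed's code or UNC's configuration): a "(secure)" tag in the subject keeps the body on the server and sends only a link, and the weak point is reproduced by letting the server be built with authentication switched off. Hostnames and the case-insensitive tag match are assumptions.

```python
import secrets

SECURE_TAG = "(secure)"  # subject-line trigger from the slide; matched case-insensitively (assumption)

class SecureMailServer:
    """Stand-in for a secure-messaging gateway; constructed for this example."""

    def __init__(self, require_auth=True):
        self.require_auth = require_auth
        self.store = {}    # token -> (recipient, subject, body) held on the server
        self.outbox = []   # what actually leaves the gateway over ordinary e-mail

    def send(self, sender, recipient, subject, body):
        if SECURE_TAG not in subject.lower():
            # No tag: ordinary mail, body travels in the clear.
            self.outbox.append({"to": recipient, "subject": subject, "body": body})
            return None
        token = secrets.token_urlsafe(16)
        self.store[token] = (recipient, subject, body)
        # Only the "you've got mail" notice leaves; the body never does.
        self.outbox.append({"to": recipient, "subject": "You have a secure message",
                            "body": f"https://secure.example.invalid/read/{token}"})
        return token

    def read(self, token, authenticated_as=None):
        """Recipient follows the link. With require_auth the link alone is not enough."""
        entry = self.store.get(token)
        if entry is None:
            raise KeyError("unknown or expired link")
        recipient, subject, body = entry
        if self.require_auth and authenticated_as != recipient:
            raise PermissionError("recipient must log in to view the message")
        return subject, body

def link_alone_suffices(require_auth):
    """Returns True when an unauthenticated click on the link reveals the message."""
    srv = SecureMailServer(require_auth)
    token = srv.send("clinic@example.invalid", "pat@example.invalid",
                     "(secure) Lab results", "CONSTRUCTED PHI: sample result text")
    try:
        srv.read(token)          # no login: who is holding this link?
        return True
    except PermissionError:
        return False
```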
Mobile Memory Devices
• Wide scale proliferation of Mobile Memory
Devices (PDAs, Smartphones, Blackberries,
etc.) is major problem in Health Care
organizations
• Easily lost or misplaced.
• Lack of centralized control
• Task force formed by NCHICA (North
Carolina Healthcare Information and
Communications Alliance, Inc.) to address
the problem
HIPAA Resources
• www.hhs.gov/ocr/hipaa/
• www.med.unc.edu/hipaa
• www.nchica.org
• Academic Medical Center Conference on
Privacy & Security
» Friday Center, Chapel Hill
» June 10-13
Questions??